Multiple Critical Vulnerabilities Identified in Concrete CMS

Threat actors can exploit vulnerabilities to achieve remote code execution.


Fortbridge researchers have unearthed multiple security bugs in a popular open-source content management system (CMS) that allow threat actors to take full control of the underlying web server.

The vulnerabilities become more threatening when combined with the insecure use of the uniqid() function that allows cybercriminals with low privileges to achieve remote code execution (RCE). 

“The uniqid() function was not cryptographically secure. Instead, it returned a pseudo-random number, allowing us to guess the name of a pseudo-random directory and then upload a web shell on the server,” Adrian Tiron from Fortbridge explained. As of 2021, more than 62,000 live websites are designed with Concrete CMS. 

The first bug discovered is a race condition in the file upload function that allows a Concrete CMS user to upload files from a remote server. Files are downloaded to ‘$temporaryDirectory’, an instance of a class called VolatileDirectory, which creates a temporary directory that is deleted at the end of each request.

According to the researchers, the directory is given a random-looking name, so to guess it they first had to find out where that name came from. A single brute-force request takes about 100 ms, so the researchers needed more time than the request itself allowed to carry out their attack. While looking for a way around the 60-second cURL timeout, they turned to the uniqid() function, which derives its value from the current time and date down to the microsecond.

“We will add a sleep() for 30-60 seconds in the test.php file which gets downloaded from the remote server. This will basically force the CMS to keep the $temporaryDir directory for 30-60 seconds on the local filesystem before deleting it. Enough time for us to brute-force the directory name with Burp Turbo Intruder,” researchers added.
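The root cause described above is a temporary-directory name that depends only on the clock. The following PHP snippet is an added illustration, not Concrete CMS code: it places the uniqid()-based naming pattern next to a name drawn from random_bytes(), and estimates how many candidate names a defender should assume an attacker has to try once the creation time is known to within a window such as the 30-60 second hold described in the quote. The function names and the 'tmp_' prefix are assumptions for the example.

```php
<?php
// Added example (not Concrete CMS code): contrast a temp-directory name
// derived from uniqid() with one drawn from the OS CSPRNG, and quantify
// the search space of the time-based name.

declare(strict_types=1);

// Weak pattern: the name is a function of wall-clock time only.
// PHP's uniqid() without more_entropy is 8 hex digits of the Unix
// second plus 5 hex digits of the microsecond, so anyone who knows
// roughly when the directory was created faces at most about 10^6
// candidates per second of uncertainty.
function weakTempDirName(string $prefix = 'tmp_'): string
{
    return $prefix . uniqid();
}

// Hardened pattern: 128 bits from random_bytes(), backed by the OS
// CSPRNG. Knowing the creation time tells an attacker nothing.
function secureTempDirName(string $prefix = 'tmp_'): string
{
    return $prefix . bin2hex(random_bytes(16));
}

// log2 of the number of names an attacker who knows the creation time
// to within $windowSeconds must try under the uniqid() scheme.
function weakSearchSpaceBits(int $windowSeconds): float
{
    return log($windowSeconds * 1000000, 2);
}

// The random scheme has a fixed 128-bit search space regardless of timing.
function secureSearchSpaceBits(): float
{
    return 128.0;
}

// Create the directory with owner-only permissions and fail closed if
// the path already exists (mkdir() returns false) rather than reuse it.
function createPrivateTempDir(string $base): string
{
    $path = rtrim($base, '/') . '/' . secureTempDirName();
    if (!mkdir($path, 0700)) {
        throw new RuntimeException("could not create $path");
    }
    return $path;
}

printf("uniqid()-style name:  %s\n", weakTempDirName());
printf("random_bytes() name:  %s\n", secureTempDirName());
printf("candidates, creation time known to 60 s: ~2^%.1f\n", weakSearchSpaceBits(60));
printf("candidates, 128-bit random name:          2^%.0f\n", secureSearchSpaceBits());

$dir = createPrivateTempDir(sys_get_temp_dir());
printf("created %s\n", $dir);
rmdir($dir);
```

With a 60-second window the time-based name has a search space of roughly 2^26, which is well within reach of a tool that sends requests in parallel, whereas the random name stays at 2^128 no matter how long the directory lingers. The practical check for a code base is therefore to grep for uniqid() (and mt_rand()/rand()) in any path that builds a filename, directory name, token or nonce, and replace it with random_bytes() or random_int().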

How to keep your site safe

Users should always keep software up to date with security patches and new releases. This includes operating systems, web services, server-side parsers, content management systems, databases, and all plug-ins.

Users are advised to uninstall all applications and services that aren't necessary and to run only the services required for their website and CMS to operate. Use a password manager, which helps ensure that you use a unique password on every site.